I've found this listpost: http://marc.info/?l=openbsd-misc&m=130951991404687&w=2
I will ask [email protected] if it is possible to put this feature on the roadmap.

Regards,
Erwin

2015-05-08 9:28 GMT+02:00 Erwin Schliske <[email protected]>:
> Hello,
>
> I have one question regarding ipsec with NAT.
>
> With one customer I have to set up a site2site vpn. To avoid address
> conflicts I'd use NAT. Because multiple of our subnets have to use the
> tunnel, I have this config in ipsec.conf:
>
> ike esp from {192.168.10.0/24 (192.168.1.0/24),192.168.10.0/24 (192.168.2.0/24),192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \
>     peer <dest gateway> \
>     local <my gateway> \
>     main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
>     quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
>     psk XXXXXXXXXX
>
> In my pf.conf I have the NAT rules
>
> match out on $if_ipsec from 192.168.1.0/24 to 10.78.1.0/24 nat-to 192.168.10.1
> match out on $if_ipsec from 192.168.2.0/24 to 10.78.1.0/24 nat-to 192.168.10.2
> match out on $if_ipsec from 192.168.3.0/24 to 10.78.1.0/24 nat-to 192.168.10.3
>
> But when I test the tunnel, I see only packets for the subnet
> 192.168.3.0/24 enter the tunnel. The other subnets don't get a connection.
>
> Is this setup not possible or do I have an error in config?
>
> Thanks.
>
> Regards,
> Erwin
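An added check, not part of the thread above and not OpenBSD's own tooling: the srcnat address in parentheses is only used locally by pf and ipsecctl, so what the peer negotiates in Phase 2 is the outer from/to pair. The script below parses `ike ... from {...} to ...` lines in the ipsec.conf syntax the post uses, expands the braced sets, and reports every (src, dst) pair that is defined more than once. Run against a copy of the posted flow line (embedded here as a constructed sample, with the gateway placeholders kept as written), it reports that all three entries collapse to the single selector 192.168.10.0/24 -> 10.78.1.0/24, which is consistent with only one of the three subnets ever reaching the tunnel.

```python
import re
from collections import defaultdict

# Constructed copy of the ipsec.conf line from the post. The gateway
# placeholders are kept as written there; this check only looks at the
# from/to selectors, so their values do not matter.
POSTED_IPSEC_CONF = r"""
ike esp from {192.168.10.0/24 (192.168.1.0/24),192.168.10.0/24 (192.168.2.0/24),192.168.10.0/24 (192.168.3.0/24)} to 10.78.1.0/24 \
    peer <dest gateway> \
    local <my gateway> \
    main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 28800 \
    quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
    psk XXXXXXXXXX
"""

# "from <set> to <set>", where a set is either a {...} group or a single
# address optionally followed by a "(srcnat)" part.
_FLOW_RE = re.compile(
    r"\bfrom\s+(\{[^}]*\}|[^\s{]+(?:\s*\([^)]*\))?)\s+to\s+(\{[^}]*\}|\S+)"
)
# One endpoint: "address" or "address (srcnat)".
_ENTRY_RE = re.compile(r"^(\S+)\s*(?:\(\s*([^)]*?)\s*\))?$")


def _logical_lines(text):
    """Join backslash continuations and drop comments and blank lines."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def _split_set(field):
    """Turn '{a (x), b}' or 'a (x)' into a list of (address, srcnat_or_None)."""
    body = field.strip()
    if body.startswith("{"):
        body = body[1:-1]
    entries = []
    for raw in body.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY_RE.match(raw)
        if m is None:
            raise ValueError("cannot parse flow endpoint: %r" % raw)
        entries.append((m.group(1), m.group(2)))
    return entries


def parse_flows(text):
    """Return one (src, dst, srcnat) tuple per flow the config expands to."""
    flows = []
    for line in _logical_lines(text):
        m = _FLOW_RE.search(line)
        if m is None:
            continue
        for src, srcnat in _split_set(m.group(1)):
            for dst, _ in _split_set(m.group(2)):
                flows.append((src, dst, srcnat))
    return flows


def find_selector_collisions(text):
    """Map each (src, dst) pair defined more than once to its srcnat values.

    The srcnat part is local only, so flows that differ solely in srcnat
    present the peer with the same Phase 2 traffic selector.
    """
    groups = defaultdict(list)
    for src, dst, srcnat in parse_flows(text):
        groups[(src, dst)].append(srcnat)
    return {pair: nats for pair, nats in groups.items() if len(nats) > 1}


if __name__ == "__main__":
    for (src, dst), nats in find_selector_collisions(POSTED_IPSEC_CONF).items():
        print("flow %s -> %s is defined %d times (srcnat: %s)"
              % (src, dst, len(nats), ", ".join(n or "none" for n in nats)))
```

The check is purely textual: it does not touch the kernel SPD or isakmpd, so it can be run on a config before `ipsecctl -n -f` is ever attempted, and it also catches the same overlap when the duplicate selectors are spread over several `ike` lines rather than one braced set.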

